Privacy Policy
Last Updated: March 27, 2026
ROOM42 INC. ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, store, and protect information when you use the ROOM42 website, software, and related services (collectively, the "Service"). By accessing or using the Service, you agree to the practices described in this policy.
1. Data We Access and Collect
1.1. Information You Provide Directly
- Account Information: Name, email address, and password when you register via email.
- Property Data: Property addresses, property type and class, acquisition dates, property values, land values, building specifications, unit details, and related tax planning information you enter into the Service.
- Payment Information: Transaction details processed through Stripe. We do not directly store your credit card numbers; payment processing is handled by Stripe in accordance with their privacy policy.
- Documents: Photos, floor plans, blueprints, invoices, and other files you upload to support your cost segregation study.
- Communications: Any messages, feedback, or support requests you send to us.
1.2. Google User Data
When you choose to sign in or register using "Continue with Google," we access the following data from your Google account through the OAuth 2.0 protocol:
- Name: Your display name as set in your Google account.
- Email Address: Your primary Google email address.
- Profile Picture: Your Google account profile image URL.
We do not request access to your Google contacts, Google Drive files, Gmail messages, calendar, or any other Google services beyond basic profile information required for authentication.
1.3. Automatically Collected Information
- Session Data: IP address and user agent string, collected when you sign in to maintain your session.
- Analytics Data: We use third-party analytics services (including Google Analytics, PostHog, Mixpanel, and Microsoft Clarity) to understand how users interact with the Service. These services may collect information such as pages visited, clicks, scroll depth, session duration, and device type.
2. How We Use Your Data
2.1. Google User Data Usage
Google user data (name, email, and profile picture) is used exclusively for:
- Account Authentication: Verifying your identity and signing you in to the Service.
- Account Creation & Linking: Creating your ROOM42 account or linking your Google account to an existing account with the same email address.
- Profile Display: Showing your name and profile picture within the application interface.
- Service Communications: Sending you account-related emails such as welcome messages, password reset links, and essential service notifications.
We do not use Google user data for advertising, profiling, or any purpose unrelated to providing and maintaining the Service.
2.2. General Data Usage
We use the data we collect to:
- Provide, operate, and maintain the Service.
- Generate cost segregation reports and depreciation schedules based on your property data.
- Process payments and manage your account.
- Improve, personalize, and optimize the Service through analytics.
- Communicate with you about your account, purchases, and Service updates.
- Detect, prevent, and address fraud and security issues.
- Comply with legal obligations.
3. Data Sharing
We do not sell your personal information or Google user data. We share data only in the following limited circumstances:
3.1. Service Providers
We share data with trusted third-party service providers who assist us in operating the Service, strictly for the purposes described below:
- Cloudflare: Infrastructure hosting, content delivery, and database services (D1, R2).
- Stripe: Payment processing. Stripe receives your payment information directly and is governed by Stripe's Privacy Policy.
- Analytics Providers: Google Analytics, PostHog, Mixpanel, and Microsoft Clarity receive anonymized or pseudonymized usage data to help us understand how the Service is used.
- Google Maps: Property address data may be sent to the Google Maps API for address autocomplete and geocoding purposes, subject to Google's Privacy Policy.
- Email Services: Your name and email address may be shared with our email delivery provider to send transactional emails (welcome emails, password resets, and account notifications).
3.2. CPA Review Add-On
If you purchase the CPA Review add-on service, your property data and cost segregation report may be shared with an independent Certified Public Accountant for the purpose of performing their review. This sharing occurs only at your explicit request when purchasing the add-on.
3.3. Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
3.4. Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
3.5. Google User Data Sharing
Google user data (name, email, and profile picture obtained via Google Sign-In) is not shared with any third parties except as necessary for infrastructure hosting (Cloudflare) and transactional email delivery. We do not share Google user data with advertising networks, data brokers, or any unrelated third parties.
4. Data Storage and Protection
4.1. Where Your Data Is Stored
Your data is stored using Cloudflare's infrastructure, including Cloudflare D1 (database) and Cloudflare R2 (file storage). Session tokens and authentication data are managed through secure, encrypted cookies.
4.2. Security Measures
We implement commercially reasonable security measures to protect your data, including:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- Secure Authentication: Passwords are hashed using industry-standard algorithms and are never stored in plain text. OAuth tokens from Google are stored securely and used only for authentication purposes.
- Secure Cookies: Session cookies use Secure and SameSite attributes in production to prevent interception and cross-site request forgery.
- Access Controls: Administrative access to user data is restricted to authorized personnel only.
- Payment Security: Payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified. We never store your full credit card details on our servers.
4.3. Limitations
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors beyond our reasonable control.
5. Data Retention and Deletion
5.1. Retention Periods
- Account Data: Your name, email, and profile information (including data from Google Sign-In) are retained for as long as your account is active.
- Property & Report Data: Property information and generated reports are retained for as long as your account is active, so you can access and download them at any time.
- Payment Records: Transaction records are retained as required for accounting, tax, and legal compliance purposes.
- Session Data: Sessions expire after 7 days of inactivity and are automatically cleaned up.
- Analytics Data: Analytics data collected by third-party providers is retained according to their respective privacy policies and retention settings.
5.2. Requesting Data Deletion
You may request the deletion of your personal data at any time by contacting us at support@room42.io with the subject line "Data Deletion Request." Please include the email address associated with your account.
Upon receiving a verified deletion request, we will:
- Delete your account, profile information, and all associated Google user data.
- Delete your property data, uploaded documents, and generated reports.
- Revoke all active sessions.
- Remove your data from our active databases within 30 days.
Certain data may be retained in backups for a limited period or as required by law (for example, payment transaction records for tax and accounting purposes). We will inform you if any data cannot be deleted and the legal basis for its retention.
5.3. Account Deletion
You may delete your account through the Settings page in the application, or by contacting us directly. Account deletion will trigger the data deletion process described above.
6. Google API Services Compliance
ROOM42's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data for the purposes described in this Privacy Policy and do not use it for serving advertisements or for any purpose unrelated to the core functionality of the Service.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication and session management. These cannot be disabled without losing access to the Service.
- Analytics Cookies: Used by third-party analytics providers (Google Analytics, PostHog, Mixpanel, Microsoft Clarity) to understand usage patterns and improve the Service.
- Advertising Cookies: Google Ads may use cookies for conversion tracking to measure the effectiveness of our advertising campaigns.
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data, as described in Section 5.
- Portability: Request your data in a machine-readable format.
- Objection: Object to certain processing of your personal data.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time by revoking access through your Google Account settings or by contacting us.
To exercise any of these rights, contact us at support@room42.io.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes are effective when posted on this page with an updated "Last Updated" date. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
11. Contact Us
If you have any questions about this Privacy Policy, your data, or how to exercise your rights, please contact us:
- Email: support@room42.io
- Website: room42.io/contact
This Privacy Policy is effective as of March 27, 2026. For our Terms of Service, please visit room42.io/terms.